high
7.5
CWE
190
Advisory Published
CVE Published
Updated

CVE-2021-23840: Integer overflow in CipherUpdate

First published: Tue Feb 16 2021(Updated: )

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

Credit: openssl-security@openssl.org openssl-security@openssl.org

Affected SoftwareAffected VersionHow to fix
redhat/jbcs-httpd24-apr<0:1.6.3-107.el8
0:1.6.3-107.el8
redhat/jbcs-httpd24-apr-util<0:1.6.1-84.el8
0:1.6.1-84.el8
redhat/jbcs-httpd24-curl<0:7.78.0-2.el8
0:7.78.0-2.el8
redhat/jbcs-httpd24-httpd<0:2.4.37-78.el8
0:2.4.37-78.el8
redhat/jbcs-httpd24-nghttp2<0:1.39.2-39.el8
0:1.39.2-39.el8
redhat/jbcs-httpd24-openssl<1:1.1.1g-8.el8
1:1.1.1g-8.el8
redhat/jbcs-httpd24-openssl-chil<0:1.0.0-7.el8
0:1.0.0-7.el8
redhat/jbcs-httpd24-openssl-pkcs11<0:0.4.10-22.el8
0:0.4.10-22.el8
redhat/jbcs-httpd24-apr<0:1.6.3-107.jbcs.el7
0:1.6.3-107.jbcs.el7
redhat/jbcs-httpd24-apr-util<0:1.6.1-84.jbcs.el7
0:1.6.1-84.jbcs.el7
redhat/jbcs-httpd24-curl<0:7.78.0-2.jbcs.el7
0:7.78.0-2.jbcs.el7
redhat/jbcs-httpd24-httpd<0:2.4.37-78.jbcs.el7
0:2.4.37-78.jbcs.el7
redhat/jbcs-httpd24-nghttp2<0:1.39.2-39.jbcs.el7
0:1.39.2-39.jbcs.el7
redhat/jbcs-httpd24-openssl<1:1.1.1g-8.jbcs.el7
1:1.1.1g-8.jbcs.el7
redhat/jbcs-httpd24-openssl-chil<0:1.0.0-7.jbcs.el7
0:1.0.0-7.jbcs.el7
redhat/jbcs-httpd24-openssl-pkcs11<0:0.4.10-22.jbcs.el7
0:0.4.10-22.jbcs.el7
redhat/openssl<1:1.0.2k-22.el7_9
1:1.0.2k-22.el7_9
redhat/edk2<0:20210527gite1999b264f1f-3.el8
0:20210527gite1999b264f1f-3.el8
redhat/openssl<1:1.1.1k-4.el8
1:1.1.1k-4.el8
redhat/jws5-tomcat<0:9.0.50-3.redhat_00004.1.el7
0:9.0.50-3.redhat_00004.1.el7
redhat/jws5-tomcat-native<0:1.2.30-3.redhat_3.el7
0:1.2.30-3.redhat_3.el7
redhat/jws5-tomcat-vault<0:1.1.8-4.Final_redhat_00004.1.el7
0:1.1.8-4.Final_redhat_00004.1.el7
redhat/jws5-tomcat<0:9.0.50-3.redhat_00004.1.el8
0:9.0.50-3.redhat_00004.1.el8
redhat/jws5-tomcat-native<0:1.2.30-3.redhat_3.el8
0:1.2.30-3.redhat_3.el8
redhat/jws5-tomcat-vault<0:1.1.8-4.Final_redhat_00004.1.el8
0:1.1.8-4.Final_redhat_00004.1.el8
IBM Security Verify Bridge<=All
redhat/openssl<1.1.1
1.1.1
redhat/openssl<1.0.2
1.0.2
debian/openssl
1.1.1w-0+deb11u1
1.1.1w-0+deb11u2
3.0.15-1~deb12u1
3.0.14-1~deb12u2
3.4.1-1
OpenSSL libcrypto>=1.0.2<1.0.2y
OpenSSL libcrypto>=1.1.1<1.1.1j
Debian=10.0
Tenable Log Correlation Engine<6.0.8
Tenable Nessus Network Monitor=5.11.0
Tenable Nessus Network Monitor=5.11.1
Tenable Nessus Network Monitor=5.12.0
Tenable Nessus Network Monitor=5.12.1
Tenable Nessus Network Monitor=5.13.0
Oracle Business Intelligence Enterprise Edition=5.5.0.0.0
Oracle Business Intelligence Enterprise Edition=5.9.0.0.0
Oracle Business Intelligence Enterprise Edition=12.2.1.3.0
Oracle Business Intelligence Enterprise Edition=12.2.1.4.0
oracle communications Cloud native core policy=1.15.0
oracle enterprise manager for storage management=13.4.0.0
Oracle Enterprise Manager Ops Center=12.4.0.0
Oracle GraalVM Enterprise Edition=19.3.5
Oracle GraalVM Enterprise Edition=20.3.1.2
Oracle GraalVM Enterprise Edition=21.0.0.2
Oracle JD Edwards EnterpriseOne Tools<9.2.6.0
oracle jd edwards world security=a9.4
MySQL<5.7.33
MySQL>=8.0.15<8.0.23
Oracle NoSQL Database<20.3
Trellix ePolicy Orchestrator<5.10.0
Trellix ePolicy Orchestrator=5.10.0
Trellix ePolicy Orchestrator=5.10.0-update_1
Trellix ePolicy Orchestrator=5.10.0-update_10
Trellix ePolicy Orchestrator=5.10.0-update_2
Trellix ePolicy Orchestrator=5.10.0-update_3
Trellix ePolicy Orchestrator=5.10.0-update_4
Trellix ePolicy Orchestrator=5.10.0-update_5
Trellix ePolicy Orchestrator=5.10.0-update_6
Trellix ePolicy Orchestrator=5.10.0-update_7
Trellix ePolicy Orchestrator=5.10.0-update_8
Trellix ePolicy Orchestrator=5.10.0-update_9
All of
Oracle Fujitsu M10-1 Firmware<xcp2410
Oracle Fujitsu M10-1
All of
Oracle Fujitsu M10-4 Firmware<xcp2410
Oracle Fujitsu M10-4
All of
fujitsu m10-4s firmware<xcp2410
fujitsu m10-4s
All of
Oracle Fujitsu M12-1 Firmware<xcp2410
Oracle Fujitsu M12-1 Firmware
All of
Oracle Fujitsu M12-2 Firmware<xcp2410
fujitsu m12-2
All of
fujitsu m12-2s firmware<xcp2410
Fujitsu SPARC M12-2S
All of
Oracle Fujitsu M10-1 Firmware<xcp3110
Oracle Fujitsu M10-1
All of
Oracle Fujitsu M10-4 Firmware<xcp3110
Oracle Fujitsu M10-4
All of
fujitsu m10-4s firmware<xcp3110
fujitsu m10-4s
All of
Oracle Fujitsu M12-1 Firmware<xcp3110
Oracle Fujitsu M12-1 Firmware
All of
Oracle Fujitsu M12-2 Firmware<xcp3110
fujitsu m12-2
All of
fujitsu m12-2s firmware<xcp3110
Fujitsu SPARC M12-2S
Node.js>=10.0.0<=10.12.0
Node.js>=10.13.0<10.24.0
Node.js>=12.0.0<=12.12.0
Node.js>=12.13.0<12.21.0
Node.js>=14.0.0<=14.14.0
Node.js>=15.0.0<15.10.0
Node.js=14.15.0
Oracle Fujitsu M10-1 Firmware<xcp2410
Oracle Fujitsu M10-1
Oracle Fujitsu M10-4 Firmware<xcp2410
Oracle Fujitsu M10-4
fujitsu m10-4s firmware<xcp2410
fujitsu m10-4s
Oracle Fujitsu M12-1 Firmware<xcp2410
Oracle Fujitsu M12-1 Firmware
Oracle Fujitsu M12-2 Firmware<xcp2410
fujitsu m12-2
fujitsu m12-2s firmware<xcp2410
Fujitsu SPARC M12-2S
Oracle Fujitsu M10-1 Firmware<xcp3110
Oracle Fujitsu M10-4 Firmware<xcp3110
fujitsu m10-4s firmware<xcp3110
Oracle Fujitsu M12-1 Firmware<xcp3110
Oracle Fujitsu M12-2 Firmware<xcp3110
fujitsu m12-2s firmware<xcp3110

Remedy

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1

Remedy

https://www.oracle.com//security-alerts/cpujul2021.html

Remedy

https://www.oracle.com/security-alerts/cpuApr2021.html

Remedy

https://www.oracle.com/security-alerts/cpuapr2022.html

Remedy

https://www.oracle.com/security-alerts/cpujan2022.html

Remedy

https://www.oracle.com/security-alerts/cpuoct2021.html

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is the vulnerability ID for this OpenSSL vulnerability?

    The vulnerability ID for this OpenSSL vulnerability is CVE-2021-23840.

  • What is the severity of CVE-2021-23840?

    CVE-2021-23840 has a severity level of high.

  • What is the impact of CVE-2021-23840?

    CVE-2021-23840 can cause a denial of service (DoS) due to an integer overflow in CipherUpdate.

  • How can I fix CVE-2021-23840?

    To fix CVE-2021-23840, update OpenSSL to the recommended version provided by the vendor.

  • Where can I find more information about CVE-2021-23840?

    You can find more information about CVE-2021-23840 on the IBM X-Force Exchange website and the OpenSSL website.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203